A new form of malware has been discovered that explicitly targets Apple developers. It’s called “XcodeSpy” and it’s used to install a backdoor into macOS (via ArsTechnica).
Mac Xcode Malware
Xcode is a Mac tool that helps developers create apps for Apple operating systems. This malware is a doctored copy of a legitimate, open source project called TabBarInteraction, which makes it easier for developers to animate iOS tab bars based on user interaction.
When this malicious project is launched, a script embedded in it contacts a command and control (C&C) server and downloads a backdoor called “EggShell,” which spies on users via their camera, microphone, and keyboard. Two variants of this malware, dubbed “XcodeSpy,” have been found in the wild. The first was found on August 5, 2020, and the second on October 13, 2020.
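As an added example (not code from the article or from SentinelOne's report), here is a small audit script for the pattern described above: it parses an Xcode project.pbxproj, pulls out every shell-script build phase, and flags scripts that fetch, decode, or eval content instead of doing build work. It assumes the malicious script sits in a Run Script build phase, which is where Xcode projects carry shell commands that execute at build time; the sample project text and the base64-looking blob in it are constructed, not taken from XcodeSpy.

```python
import re

# Build-phase scripts live in project.pbxproj as PBXShellScriptBuildPhase objects;
# each object starts with "<24-hex id> /* name */ = {" and holds an escaped shellScript.
OBJECT_RE = re.compile(r'([0-9A-F]{24}) /\* ([^*]*?) \*/ = \{')
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)

# Heuristics for a build phase that stages or decodes a payload; tune for the projects you review.
INDICATORS = {
    "network_fetch": re.compile(r'\b(curl|wget|nc|ncat)\b'),
    "decode_payload": re.compile(r'base64\s+(-d|--decode|-D)|openssl\s+enc\b.*-d'),
    "pipe_to_interpreter": re.compile(r'\|\s*(sh|bash|zsh|python3?|perl|osascript)\b'),
    "dynamic_eval": re.compile(r'\beval\b'),
    "obfuscated_string": re.compile(r'[A-Za-z0-9+/]{60,}={0,2}'),
}

def unescape_pbxproj(s):
    """Undo the \\n, \\t and \\" escapes pbxproj uses inside quoted strings."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def audit_pbxproj(text):
    """Return one finding per shell-script build phase that trips an indicator."""
    objects = [(m.start(), m.group(1), m.group(2)) for m in OBJECT_RE.finditer(text)]
    findings = []
    for sm in SCRIPT_RE.finditer(text):
        # The owning object is the last "<ID> /* name */ = {" that precedes the script.
        owner = [o for o in objects if o[0] < sm.start()]
        phase_id, name = (owner[-1][1], owner[-1][2]) if owner else ("?", "?")
        script = unescape_pbxproj(sm.group(1))
        hits = [k for k, rx in INDICATORS.items() if rx.search(script)]
        if hits:
            findings.append({"phase": phase_id, "name": name, "indicators": hits, "script": script.strip()})
    return findings

# Constructed sample: one benign phase and one that decodes and evals a blob.
# The blob is filler ("QUJD" repeated), not a real payload.
FAKE_BLOB = "QUJD" * 16
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		0A1B2C3D4E5F60718293A4B5 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "echo \"building ${PRODUCT_NAME}\"\n";
		};
		1B2C3D4E5F60718293A4B5C6 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			shellScript = "eval \"$(echo @@BLOB@@ | base64 -d)\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''.replace("@@BLOB@@", FAKE_BLOB)
```

Run `audit_pbxproj(open("MyApp.xcodeproj/project.pbxproj").read())` on a project you received from an untrusted source and review every flagged phase before building it; the sample above yields one finding for the second phase.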
Security researchers from SentinelOne discovered this malware, writing:
For reasons of confidentiality, we are unable to provide further details about the ITW [in the wild] incident. However, the victim reported that they are repeatedly targeted by North Korean APT actors and the infection came to light as part of their regular threat hunting activities.